ローカルネットワーク実験を試しましたが、名前空間ネットワーク内でpingを実行できませんでした。
私はFedora 37を使用しています。
Linux dmitry-desktop 6.1.18-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 11 16:09:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
次のエラーが発生します。
➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
設定
➜ sudo ip netns add netns-test0
➜ sudo ip netns add netns-test1
➜ ls -la /var/run/netns
total 0
drwxr-xr-x. 2 root root 80 Mar 22 13:42 .
drwxr-xr-x. 63 root root 1.7K Mar 22 12:55 ..
-r--r--r--. 1 root root 0 Mar 22 13:42 netns-test0
-r--r--r--. 1 root root 0 Mar 22 13:42 netns-test1
➜ sudo ip link add eth00 type veth peer name eth01
➜ sudo ip link add eth10 type veth peer name eth11
➜ sudo ip link set eth00 up
➜ sudo ip link set eth01 up
➜ sudo ip link set eth01 netns netns-test0
➜ sudo ip link set eth11 netns netns-test1
➜ sudo ip netns exec netns-test0 ip link set lo up
➜ sudo ip netns exec netns-test0 ip link set eth01 up
➜ sudo ip netns exec netns-test0 ip addr 10.10.10.10/24 dev eth01
Command "10.10.10.10/24" is unknown, try "ip address help".
➜ sudo ip netns exec netns-test0 ip addr add 10.10.10.10/24 dev eth01
➜ sudo ip netns exec netns-test1 ip link set lo up
➜ sudo ip netns exec netns-test1 ip link set eth11 up
➜ sudo ip netns exec netns-test1 ip addr add 10.10.10.11/24 dev eth11
➜ sudo ip link add name br0 type bridge
➜ sudo ip addr add 10.10.10.1/24 brd + dev br0
➜ sudo ip link set br0 up
➜ sudo ip link set eth00 master br0
➜ sudo ip link set eth10 master br0
➜ sudo bridge link show br0
20: eth00@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
22: eth10@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
➜ sudo iptables -A FORWARD -i br0 -j ACCEPT
➜ sudo ip link set eth00 master br0
したがって、ルートネームスペースですべてのデバイスとbr0をpingできます。
➜ ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.057 ms
➜ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.060 ms
➜ ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.053 ms
ただし、ネームスペースネットワーク内でpingを開始すると、パケットはフィルタリングされます。
➜ sudo ip netns exec netns-test0 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.021 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.070 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
➜ sudo ip netns exec netns-test1 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.10.10.11: icmp_seq=3 ttl=64 time=0.036 ms
➜ sudo ip netns exec netns-test1 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.075 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.075 ms
took 2s
➜ sudo ip netns exec netns-test1 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
From 10.10.10.1 icmp_seq=4 Packet filtered
took 3s
✗ sudo ip netns exec netns-test1 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip -all netns exec ip route
netns: netns-test1
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip -all netns exec ip route add default via 10.10.10.1
netns: netns-test1
netns: netns-test0
➜ sudo ip -all netns exec ip route
netns: netns-test1
default via 10.10.10.1 dev eth11
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
default via 10.10.10.1 dev eth01
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
私のiptablesの設定
➜ _ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
95 7810 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
95 7810 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
13 1226 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
15 956 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
67 5628 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
15 956 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
15 956 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
95 7810 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
ファイアウォール:
➜ firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: br0 ens1f1 eth01 eth11 vpn0
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
sudo nft リストルールセット
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "br0" goto mangle_PRE_FedoraWorkstation
iifname "eth11" goto mangle_PRE_FedoraWorkstation
iifname "eth01" goto mangle_PRE_FedoraWorkstation
iifname "vpn0" goto mangle_PRE_FedoraWorkstation
iifname "ens1f1" goto mangle_PRE_FedoraWorkstation
iifname "docker0" goto mangle_PRE_docker
goto mangle_PRE_FedoraWorkstation
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "br0" goto nat_PRE_FedoraWorkstation
iifname "eth11" goto nat_PRE_FedoraWorkstation
iifname "eth01" goto nat_PRE_FedoraWorkstation
iifname "vpn0" goto nat_PRE_FedoraWorkstation
iifname "ens1f1" goto nat_PRE_FedoraWorkstation
iifname "docker0" goto nat_PRE_docker
goto nat_PRE_FedoraWorkstation
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
chain nat_POSTROUTING_ZONES {
oifname "br0" goto nat_POST_FedoraWorkstation
oifname "eth11" goto nat_POST_FedoraWorkstation
oifname "eth01" goto nat_POST_FedoraWorkstation
oifname "vpn0" goto nat_POST_FedoraWorkstation
oifname "ens1f1" goto nat_POST_FedoraWorkstation
oifname "docker0" goto nat_POST_docker
goto nat_POST_FedoraWorkstation
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority -90; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_ZONES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "br0" goto filter_IN_FedoraWorkstation
iifname "eth11" goto filter_IN_FedoraWorkstation
iifname "eth01" goto filter_IN_FedoraWorkstation
iifname "vpn0" goto filter_IN_FedoraWorkstation
iifname "ens1f1" goto filter_IN_FedoraWorkstation
iifname "docker0" goto filter_IN_docker
goto filter_IN_FedoraWorkstation
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "br0" goto filter_FWD_FedoraWorkstation
iifname "eth11" goto filter_FWD_FedoraWorkstation
iifname "eth01" goto filter_FWD_FedoraWorkstation
iifname "vpn0" goto filter_FWD_FedoraWorkstation
iifname "ens1f1" goto filter_FWD_FedoraWorkstation
iifname "docker0" goto filter_FWD_docker
goto filter_FWD_FedoraWorkstation
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_FedoraWorkstation {
jump filter_INPUT_POLICIES_pre
jump filter_IN_FedoraWorkstation_pre
jump filter_IN_FedoraWorkstation_log
jump filter_IN_FedoraWorkstation_deny
jump filter_IN_FedoraWorkstation_allow
jump filter_IN_FedoraWorkstation_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
tcp dport 22 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 1025-65535 ct state { new, untracked } accept
tcp dport 1025-65535 ct state { new, untracked } accept
}
chain filter_IN_FedoraWorkstation_post {
}
chain nat_POST_FedoraWorkstation {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_FedoraWorkstation_pre
jump nat_POST_FedoraWorkstation_log
jump nat_POST_FedoraWorkstation_deny
jump nat_POST_FedoraWorkstation_allow
jump nat_POST_FedoraWorkstation_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_FedoraWorkstation_pre {
}
chain nat_POST_FedoraWorkstation_log {
}
chain nat_POST_FedoraWorkstation_deny {
}
chain nat_POST_FedoraWorkstation_allow {
}
chain nat_POST_FedoraWorkstation_post {
}
chain filter_FWD_FedoraWorkstation {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_FedoraWorkstation_pre
jump filter_FWD_FedoraWorkstation_log
jump filter_FWD_FedoraWorkstation_deny
jump filter_FWD_FedoraWorkstation_allow
jump filter_FWD_FedoraWorkstation_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_FedoraWorkstation_pre {
}
chain filter_FWD_FedoraWorkstation_log {
}
chain filter_FWD_FedoraWorkstation_deny {
}
chain filter_FWD_FedoraWorkstation_allow {
}
chain filter_FWD_FedoraWorkstation_post {
}
chain nat_PRE_FedoraWorkstation {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_FedoraWorkstation_pre
jump nat_PRE_FedoraWorkstation_log
jump nat_PRE_FedoraWorkstation_deny
jump nat_PRE_FedoraWorkstation_allow
jump nat_PRE_FedoraWorkstation_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_FedoraWorkstation_pre {
}
chain nat_PRE_FedoraWorkstation_log {
}
chain nat_PRE_FedoraWorkstation_deny {
}
chain nat_PRE_FedoraWorkstation_allow {
}
chain nat_PRE_FedoraWorkstation_post {
}
chain mangle_PRE_FedoraWorkstation {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_FedoraWorkstation_pre
jump mangle_PRE_FedoraWorkstation_log
jump mangle_PRE_FedoraWorkstation_deny
jump mangle_PRE_FedoraWorkstation_allow
jump mangle_PRE_FedoraWorkstation_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_FedoraWorkstation_pre {
}
chain mangle_PRE_FedoraWorkstation_log {
}
chain mangle_PRE_FedoraWorkstation_deny {
}
chain mangle_PRE_FedoraWorkstation_allow {
}
chain mangle_PRE_FedoraWorkstation_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
oifname "docker0" accept
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
}
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
counter packets 98 bytes 8062 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 15 bytes 956 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 98 bytes 8062 jump DOCKER-USER
counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 70 bytes 5880 accept
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
iifname "br0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 98 bytes 8062 return
}
}
だからこれが以下のIPフィルタと関連があるようです。
➜ sudo nft list table ip filter
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
counter packets 98 bytes 8062 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 15 bytes 956 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 98 bytes 8062 jump DOCKER-USER
counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 70 bytes 5880 accept
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
counter packets 0 bytes 0
iifname "br0" counter packets 0 bytes 0 accept
iifname "br0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 98 bytes 8062 return
}
}
答え1
IPv4への参照を制限します(IPv6またはARPも影響を受けますが、OPはIPv6を使用せず、ARPのデフォルトのファイアウォールはありません)。
ルーストアバウト依存してロードカーネルモジュールbr_netfilter
同じLAN上の2つのコンテナ間でもコンテナの分離を適切に制御します。
これにより、NetfilterはIPv4フックを呼び出すことができます。ブリッジIPv4タイプのフレーム。これは文書化されていますが、iptables、nftables同じNetfilter APIと対応するIPv4フック(したがってip
純粋なIPv4ファミリとinet
ハイブリッドIPv4 + IPv6ファミリ)を使用すると、同じ影響を受けます。結果は以下の通りです。
完全にロードされるとbr_netfilter
、iptablesそしてnftablesIPv4ネットワーク層(緑色の領域の緑色のボックス)で一般的に使用されるIPv4コンポーネント(小さな緑色のボックス)は、ブリッジリンク層の場合(青い領域の緑色のボックス)にも使用されます。
だからブリッジ額縁ファイアウォールで保護iptablesフィルター/FORWARDチェーン。 OPは通常、不要な作業を行いました。br_netfilter
ブリッジされたフレームはiptablesのフィルタ/転送を通過しません。
sudo iptables -A FORWARD -i br0 -j ACCEPT
これにより、FORWARDチェーンでDockerによってインストールされたデフォルトのDROPポリシーをバイパスできます。ブリッジフレーム。実際にDockerが登場したら、DOCKER-USER
代わりにこのルールをチェーンに挿入(追加ではない)する必要があります。
sudo iptables -I DOCKER-USER -i br0 -j ACCEPT
ただし、同じ操作を実行する別のフックによってファイアウォールが制限されます。ここでは純粋です。nftablesこの表を使用してFirewalldによってインストールされますinet firewalld
。この部分はブリッジパケットを拒否します。
table inet firewalld {
...
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
...
reject with icmpx admin-prohibited
}
最後に、パケットは最初(iptables)転送フックがありますが、2番目のフックでは拒否されました(Firewalldnftables)フロントフック。
iptables
ここでは、(OPのコマンドに加えて)rootとして実行し、次を使用します。nftables:
nft insert rule inet firewalld filter_FORWARD iifname br0 oifname br0 accept
2番目のフックのフレームもルールが上書きされるまで許可されます。この設定は、Firewalldの独自の構成に追加する必要があります。
FirewalldがOP設定に変更されたFedora 37コンテナ(およびbr_netfilter
ホストにロードされたモジュール)でテストする方法は次のとおりです。 Firewalldがインターフェイスの転送許可ルールを追加し、br0
pingが機能するようにする方法は次のとおりです。
firewall-cmd --zone=FedoraWorkstation --remove-interface=br0
firewall-cmd --zone=FedoraWorkstation --remove-interface=br0 --permanent
firewall-cmd --zone=trusted --add-interface=br0
firewall-cmd --zone=trusted --add-interface=br0 --permanent
適切なセキュリティ規則を持ついくつかのカスタム領域を使用する必要があります。
一部のStack Exchangeリンクでは、関連するDockerの質問に回答しました。